Reliability of sequential systems using the causeconsequence diagram method


Loughborough University Institutional Repository

Reliability of sequential systems using the cause consequence diagram method

This item was submitted to Loughborough University's Institutional Repository by the/an author.

Citation: ANDREWS, J.D. and RIDLEY, J.M., Reliability of sequential systems using the cause consequence diagram method. Proceedings of the Institution of Mechanical Engineers, Part E: Journal of Process Mechanical Engineering, 215 (3), pp.

Additional Information: This article was published in the journal, Proceedings of the Institution of Mechanical Engineers, Part E: Journal of Process Mechanical Engineering [© IMechE] and is also available at:

Publisher: © IMechE / Professional Engineering Publishing

Please cite the published version.

This item was submitted to Loughborough's Institutional Repository by the author and is made available under the following Creative Commons Licence conditions. For the full text of this licence, please go to:

Reliability of sequential systems using the cause consequence diagram method

J D Andrews and L M Ridley*
Department of Mathematical Sciences, Engineering Mathematics Division, Loughborough University, Leicestershire, UK

Abstract: In many industrial systems, where safety is of the utmost importance, it is necessary that expedient tools for accident analysis are available and employed at the design stage. Such tools must be able to handle large systems in a systematic way and display the factors that are of vital importance for the functionality of the system. The technique of fault tree analysis (FTA) is commonly used to assess the failure probability of such systems. The fault tree represents the failure logic of the system in an inverted tree structure and has the advantage that it provides very good documentation of the way the failure logic was developed. Conventional fault tree quantification requires a number of assumptions regarding the system. One of these is that the basic events in the tree occur independently. This condition is not satisfied when sequential failures are encountered. Employing alternative methods, such as Markov methods, can result in the loss of the documentation that represents the failure logic of the system. The cause consequence diagram method is a tool that, like fault tree analysis, documents the failure logic but has the extra capability enabling the analysis of systems subject to sequential failures. In addition, the cause consequence diagram identifies the complete set of system responses to any given initiating event. This paper is concerned with the cause consequence diagram method and its application to sequentially operating systems. It extends previous work by providing more rigorous guidelines to enable the construction of the diagram and an analysis methodology that can be used when dependencies exist between the events featured in the decision boxes.
A new symbol distinguishing between events that exist at a specified point in time and those that occur at that time is introduced to facilitate the analysis.

Keywords: cause consequence analysis, fault tree analysis, dependencies

1 INTRODUCTION

When investigating potential accident sequences, the time between the occurrences of events can be an important parameter [1]. This type of system could be characterized as one with various shutdown mechanisms that are initiated given the presence of some initiating event, e.g. when a pressure limit is exceeded. In order to identify all relevant accidents for such a system, Nielsen stated that the safety assessment tool used must be able to determine the possible causes of the accident event and identify the possible consequences given that one or more of the accident limiting provisions could fail. The technique of fault tree analysis (FTA) [2] is commonly used to assess the probability of failure of industrial systems. This method represents the failure logic of the system in an inverted tree structure and provides very good documentation of the way that the system failure logic was developed. The FTA technique, however, is incapable of identifying both the possible causes of an undesirable event AND all the possible consequences resulting from it. In addition to this, the FTA method cannot accurately analyse systems containing sequential failures. Markov models [3] do not require the assumption of independence, as with the FTA method, and can therefore be used to analyse sequential failures accurately. This modelling technique describes the system in a state transition diagram. The state transition diagram is not as easy to construct as a fault tree and contains no textual description regarding the failure logic of the system. As with the FTA method, the Markov analysis method has the ability to identify the possible causes of the undesirable events yet is incapable of identifying all the possible consequences resulting from it.

A technique has been developed that possesses the ability to identify the causes of an undesired event and from this event develop all possible system consequences. The technique is known as the cause consequence diagram method. The cause consequence diagram method was developed at RISO National Laboratories, Denmark, in the 1970s, specifically to aid in the reliability and risk analysis of nuclear power plants in Scandinavian countries [4]. The method was created to assist in the cause consequence accident analysis of the nuclear plants, which involved identification of the potential modes of failure of individual components and then relating these causes to the ultimate consequences for the system [5]. The method can be seen as superior to event tree analysis (ETA) [4], which is also capable of identifying all consequences of a given critical event, as it models at component level and therefore is functionality driven and not subsystem driven. In addition to this, the cause consequence diagram method can account for time delays, which is not a feature available in the ETA method. Nielsen stated that, as well as being a tool for illustrating the consequences of particular failures, the method could also serve as a basis from which the probability of occurrence of the individual consequences could be evaluated. The consequences evaluated include those that illustrate the system functioning as intended and those that illustrate an undesirable failure sequence. Several authors have used the technique as the main analysis tool for a safety assessment [6-9].

The MS was received on 15 June 2000 and was accepted after revision for publication on 17 May. *Corresponding author: Department of Mathematical Sciences, Engineering Mathematics Division, Loughborough University, Loughborough, Leicestershire LE11 3TU, UK.

E03200 © IMechE 2001 Proc Instn Mech Engrs Vol 215 Part E
However, the documentation of the quantification of the cause consequence diagram is limited, and a generalized analysis method, or even rigorous definitions of the meaning of the symbols to enable quantification, is yet to be developed. This is the subject considered in this paper. Rules for construction and quantification of the cause consequence diagram have been developed and applied to an industrial system. The quantification method developed can be automated for computerized system assessment and has the capability to deal with dependencies that can occur when analysing systems whose operation is sequential. These dependencies include component failures that are repeated as causes of more than one decision box event. The occurrence of such a common event therefore influences the outcome of more than one of the decision boxes in any path. A second class of dependent events encompasses inconsistent failures, where the occurrence of a specific component failure mode excludes the possibility of other components failing that feature in other parts of the diagram; such events are therefore mutually exclusive.

2 CAUSE CONSEQUENCE DIAGRAM METHOD

The main principle of the cause consequence diagram technique is based on the occurrence of a critical event, i.e. an event that disturbs the balance of the process plant. The identification of the critical event is problem dependent, and choosing the correct place to start is important as there are very many possible initial events, not all of which have serious consequences. Attention should therefore be focused only on functional failures of process components that directly affect the plant balance. Once a critical event has been identified, all relevant causes of the critical event and potential consequences are developed using two conventional reliability analysis methods. This situation is represented in Fig. 1.
The two reliability analysis tools used in the development of the cause consequence diagram method are the FTA method and the ETA method. The FTA method is used in two independent situations to describe the causes of an undesired event. Firstly, the technique is used to describe the causes of the critical event. The second function for the fault tree method is to describe the failure causes of the accident-limiting systems (emergency shutdown systems). The event tree method is used as the link between the causes of the critical event and the various consequences that could result. The method is used to identify the various paths that the system could take, following the critical event, depending on whether certain subsystems/components function correctly or not. The relationship between the two reliability methods is shown in Fig. 2.

Fig. 1 Simple representation of a cause consequence diagram structure

Fig. 2 Basic structure of a cause consequence diagram

3 SYMBOLS FOR CONSTRUCTION

The symbols used for the construction of a cause consequence diagram are depicted in Table 1. The overall structure of the cause consequence diagram method is depicted in Fig. 3.

4 RULES FOR CONSTRUCTION

Rules for the construction of a cause consequence diagram can be detailed in two separate sections: those for the cause part of the diagram and those for the consequence part of the diagram. For the cause part it should be noted that the rules postulated are those used in the construction of a fault tree structure. The rules for the construction of the cause diagram can be summarized as a three-step procedure:

1. Identification of the top event. The construction of the cause diagram begins with the definition of the undesired event, i.e. the system failure of interest.
2. Cause diagram development. Using a deductive process, the causes of the undesired event are discovered and connected by means of logical gates. The procedure is repeated until all events have been fully developed, i.e. the basic events are reached.
3. Validation of the diagram. For each gate used, all inputs must be both necessary and sufficient to produce the output event.

Similarly, a set of rules was devised for the construction of the consequence diagram:

1. Component ordering. The first step of the cause consequence diagram construction is deciding on the order in which component failure events are to be taken. To ensure a logical development of the causes of the system failure mode, it was decided that the ordering should follow the temporal action of the system, for example the system activation for the function required given an initial critical event.
2. Consequence diagram development. The second stage involves the actual construction of the diagram.
Starting from the initiating component, the functionality of each component or subsystem is investigated and the consequences of these sequences determined. If the decision box is governed by a subsystem, then the probability of failure will be obtained via a fault tree diagram.
3. Reduction. If any decision boxes are deemed irrelevant, for example where the boxes attached to the NO and YES branches are identical and their outcomes and consequences are the same, then these should be removed and the diagram reduced to a minimal form. Removal of these boxes will in no way affect the end result.

5 RULES FOR QUANTIFICATION

The procedure for analysing an independent system modelled using a cause consequence diagram begins with the assignment of probabilities/frequencies to each outlet branch stemming from a decision box. Following this, the probability of any one sequence is obtained by multiplication of the probabilities associated with each decision box in that sequence [10]. The probability of any particular consequence is then obtained by the summation of the probability of each sequence that terminates in that consequence. This procedure, however, cannot be employed unless the failures of each decision box in a sequence are independent. Dependencies can exist in the cause consequence diagram, and these must be dealt with prior to the quantification of the diagram.

5.1 Rules for dependent failure events

Common failure events

The first dependency that can arise is that the same failure event exists in more than one fault tree structure on the same path in the cause consequence diagram. In order to deal with a common failure event, the event is extracted from the fault tree structures and placed in a new decision box preceding the first decision box that contains the common failure event. The original cause consequence diagram is then duplicated on each outlet branch stemming from the new decision box.
Following the NO outlet branch of the new decision box, the failure event is set to TRUE in any fault tree structure in which it is found. Similarly, following the YES outlet branch, the probability of failure of the common failure event is set to FALSE in any fault tree structure in which it is present.

Table 1 Symbols used for construction of a cause consequence diagram

Symbols for cause diagram:
AND gate: allows causality to pass up through the tree if at any time all inputs to the gate occur.
OR gate: allows causality to pass up through the tree if at any time at least one input to the gate occurs.

Symbols for consequence diagram:
Decision box: represents the functionality of a component/system. The NO box represents failure to perform correctly, the probability of which is obtained via a fault tree or a single component failure probability q_i.
Fault tree arrow: represents the number of the fault tree structure that corresponds to the decision box.
Initiator triangle: represents the initiating event for a sequence, where λ indicates the rate of occurrence.
Time delay: indicates that the time starts from the time at which the delay symbol is entered and continues up to the end of the time interval in the delay symbol.
OR gate symbol: used to simplify the cause consequence diagram when more than one decision box enters the same decision box or consequence box.
Existence decision box: represents a component existing in a certain state.
Consequence box: represents the outcome event due to a particular sequence of events.

Fig. 3 Cause consequence diagram structure

Inconsistent failure events

In certain systems, components are required to perform different functions which, if successfully accomplished, result in the components residing in different states at different times. For example, initially a valve may be required to be closed and later in the sequence be open. For systems that are not in continuous operation, certain component failures could occur between operations. For example, the valve could fail between operations, which would be the cause of the valve being closed at the start of the next sequence, and later in the sequence the valve would be unable to open. To illustrate this, the simple cause consequence diagram section shown in Fig. 4 can be utilized with the relevant fault trees depicted in Fig. 5. In this example, the component K2 is required to perform two different functions: firstly to close (decision box 1) and then, later in the sequence, to open (decision box 3). In order to model this type of failure accurately, the cause consequence diagram requires modification prior to quantification.

Fig. 4 Example cause consequence diagram

Employing a basic event labelling convention in a fault tree structure can be used to identify an inconsistent failure event. If two labels are the same apart from the last character, then they are deemed to be inconsistent failure events; the first failure event represents the decision box containing the first failure mode and the second failure event represents the decision box containing the second failure mode. This can be seen for the cause consequence diagram in Fig. 4, where Ft1 contains the basic event K2CO, the first failure mode, and Ft3 contains the basic event K2CC, the second failure mode. Following the identification of an inconsistent failure event, the second failure mode is inspected and, depending on whether the second failure mode is an unrevealed or a revealed failure event, the cause consequence diagram is different. If the second failure mode is a revealed failure, then it cannot fail between operations and be undetected. Therefore, the time to failure of the second failure mode is set equal to the time it takes the system to travel from the first failure event to the second failure event. If, on the other hand, the second failure mode is unrevealed, then it can occur between operations and be undetected. When this situation occurs, the second failure mode is extracted and placed in an existence decision box preceding the first failure event. The cause consequence diagram is then duplicated on both outlet branches and, following the YES outlet branch of the existence decision box, the decision box containing the first failure mode is governed by the failure of the second failure mode. The second failure mode probability is set equal to 1 in all decision boxes beneath the existence decision box, and the first failure mode is set equal to 0. Therefore, for Fig. 4, assuming K2CC is an unrevealed failure event, the cause consequence diagram illustrated in Fig. 6 would be created and reduced to the form shown in Fig. 7. Following the NO outlet branch of the existence decision box results in the same scenario as if the failure had in fact been a revealed failure. Therefore, the second failure event occurs in the time it takes the system to travel from the first failure event to the second failure event.

Following the inspection of each sequence path in the cause consequence diagram, and modification due to any identified dependent failure events, the cause consequence diagram can be quantified by multiplying the probability associated with each decision box in each sequence. The probability of any consequence is then obtained via the summation of the probability of any sequence that terminates in that consequence.

Fig. 5 Fault trees for the example cause consequence diagram
Fig. 6 Modified cause consequence diagram for inconsistent failure modes
Fig. 7 Reduced cause consequence diagram for inconsistent failure modes

6 PRESSURE TANK SYSTEM

The system used to illustrate the construction of a cause consequence diagram is a pressure tank system that contains a start-up, shutdown sequence in addition to its operational phase [11]. The system configuration is given in Fig. 8 and the individual component functions and failure modes are represented in Table 2. Initially, the system is considered to be in a dormant state and therefore de-energized. Switch S1 and relay contacts K1 and K2 are all open when in the dormant state, and the timer and pressure switch contacts are closed. Depressing switch S1 provides power to the coil of K1, which results in the closure of the K1 contacts. Relay K1 self-latches when S1 opens on release, and power is also supplied to K2, resulting in the K2 contacts closing, which starts the pump motor. It is assumed that the tank takes 30 min to fill, and once the pressure threshold is reached the pressure switch contacts open, de-energizing K2, which results in the removal of power from the pump motor. After a period of time the tank becomes empty and the pressure switch closes, which energizes K2. The pump restarts and the filling process commences again. The tank is filled twice daily and the system is inspected at 6 monthly intervals for dormant failures. In the event of the pressure switch failing to open, a safety feature is included in the form of the timer relay. Power is applied to the timer relay following the closure of the K1 contacts, which initiates a clock. If the clock registers 30 min of continuous pumping, then the timer relay contacts are opened, which results in a break in the circuit to K1 and system shutdown.

Fig. 8 Pressure tank system

The rules developed for the construction of a cause consequence diagram were used to construct the cause consequence diagram for the pressure tank system:

Step 1. Component failure event ordering. The ordering of the components for the construction of the cause consequence diagram is selected by considering the temporal patterns of the system. For the pressure tank system, switch S1 is depressed, followed by its opening. Relay K1 energizes and powers K2, which powers the pump. Following 30 min of operation, the pressure switch should open. In the event that the pressure switch fails to open, the timer should time out and the timer contacts open. Given that the pressure switch opens, K2 contacts should de-energize, removing power from the pump. Where the timer is required to break the circuit containing K1, K1 contacts should de-energize, removing power from K2, which results in the removal of the power supply to the pump. The ordering was therefore chosen to be S1, K1, K2, pressure switch, timer relay, K1, K2. It can be seen that the components K1 and K2 both occur twice in the ordering sequence. This is the result of the system containing two different phases, and hence some components perform different actions in each different phase. The components K1 and K2 are both required to close in the start-up sequence and open in the shutdown sequence.

Table 2 Component functions and failure modes

Component | Function | Failure mode | Effect on system | Failure type
Switch S1 | To apply power to coil of relay K1 | S1C: Switch failed closed | Circuit remains energized but can be broken by K2 | Unrevealed
Switch S1 | | S1O: Switch failed open | No power to energize circuit | Revealed
Relay K1 | Electrically self-latched, applying power to relay K2 | K1D: Relay fails de-energized | No power to circuit | Revealed
Relay K1 | | K1CC: Contact fails closed | Circuit remains energized but can be broken by K2 | Unrevealed
Relay K1 | | K1CO: Contact fails open | No power to circuit | Revealed
Relay K2 | Delivers power to the motor | K2D: Relay fails de-energized | No power to motor | Revealed
Relay K2 | | K2CC: Contact fails closed | Continuous power to motor | Revealed
Relay K2 | | K2CO: Contact fails open | No power to motor | Revealed
Timer relay (TIM) | Provides emergency shutdown in event of pressure switch failing | TIMCC: Timer contact fails closed | Circuit energized but PRSW can open | Unrevealed
Timer relay (TIM) | | TIMCO: Timer contact fails open | No power to motor | Revealed
Pressure switch (PRSW) | De-energizes coil of K2 when tank is full | PSWC: Fails closed | Continuous power to motor | Revealed
Pressure switch (PRSW) | | PSWO: Fails open | No power to motor | Revealed
Fuse | To prevent power surge | F: Fails broken | No power to motor | Revealed
Power supplies 1 and 2 | Supplies power to relays and motor | PS1, PS2: No power | No power to motor | Revealed
Motor | Pumps fluid into tank | M: Fails broken | No power to pump | Revealed

Steps 2 and 3. Cause consequence diagram construction and reduction. The cause consequence diagram was constructed by considering the effect of each component in the chosen order on the system performance. In order to highlight relevant features, only one filling sequence is investigated, the cause consequence diagram of which is given in Fig. 9. The corresponding fault trees are illustrated in Fig. 10.

Fig. 9 Cause consequence diagram for the pressure tank system
Fig. 10 Fault trees for the pressure tank cause consequence diagram

7 SYSTEM QUANTIFICATION

Prior to multiplying the probabilities associated with each decision box in each sequence, the cause consequence diagram was checked for any dependent failure events. The following dependent failure events were identified*:

1. Inconsistent failure event present in Ft1 and Ft2 as the switch is required to close, represented by decision box 1, and then open, represented by decision box 2. The second failure event, S1FC, is an unrevealed failure event (Table 2) and is therefore extracted and placed in an existence decision box preceding decision box 1. The cause consequence diagram is modified using the procedure detailed in Section 5.1 (inconsistent failure events).
2. Inconsistent failure event present in Ft3 and Ft5 as the pressure switch is required to be closed and then open. The second failure event, PSWC, is a revealed failure event (Table 2) and the time to failure of PSWC is set equal to 30 min (the filling time).
3. Inconsistent failure event present in Ft3 and Ft6 as K2 contacts are required to close and, following the tank fill, open. The second failure event, K2CC, is a revealed failure event (Table 2) and the time to failure of K2CC is set equal to 30 min (the filling time).
4. Common failure event present in Ft7 and Ft8. PS1 is extracted and placed in a new decision box preceding decision box 7. The cause consequence diagram is modified following the procedure detailed in Section 5.1 (common failure events).
5. Inconsistent failure event present in Ft7 and Ft12 as K1 contacts are required to close and then open. The second failure event, K1CC, is an unrevealed failure event (Table 2) and is therefore extracted and placed in an existence decision box. The cause consequence diagram is modified using the procedure detailed in Section 5.1 (inconsistent failure events).
6. Inconsistent failure event present in Ft7 and Ft11 as the timer contacts are closed and may be required to open later in the sequence. The second failure event, TIMCC, is an unrevealed failure event (Table 2) and is therefore extracted and placed in an existence decision box. The cause consequence diagram is modified using the procedure detailed in Section 5.1 (inconsistent failure events).

Following the appropriate modification owing to the dependent failure events identified, the final cause consequence diagram was developed and is shown in Figs 11 and 12, with the corresponding fault trees given in Fig. 13.

* Following each of the seven modifications outlined, the cause consequence diagram may change. These changes result in the duplication of certain parts of the diagram that may contain the inconsistent failures mentioned; e.g. the inconsistent failures detailed in 2 and 3 occur more than once and are handled in an identical manner.
The probability of the system entering an overpressurized state was obtained using the component failure data shown in Table 3. The system functions twice daily and therefore the time between operations is 12 h. The probability of failure for revealed failures between operations was hence obtained using equation (1) with t = 12 h. For unrevealed failures the probability of failure was obtained using θ and τ, given in Table 3, and equation (2):

$Q = 1 - e^{-\lambda t}$   (1)

$Q_{AV} = \lambda \left( \frac{\theta}{2} + \tau \right)$   (2)

The probability of each fault tree was calculated using the inclusion exclusion method (7), and the probability of overpressure was obtained by summing the probabilities of any sequence that terminated in the consequence O. There existed 12 such paths, and the probability of overpressure was calculated to equal …. In addition to obtaining the probability of overpressure, the probability of the tank being empty, a safe operation and a normal operation can also be calculated and shown to equal

P(normal operation) = 0.766
P(safe operation) = 0.2213
P(empty tank) = 1.…
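As an added illustration (not code from the paper), the following Python carries the quantification rules of Sections 5 and 5.1 and equations (1) and (2) through a constructed two-box path whose fault trees share the power supply event PS1, as Ft7 and Ft8 do in the pressure tank system. The cut sets, failure rates, repair time and the 6-monthly inspection interval expressed in hours are all assumptions, not the values of Table 3; the common event is handled exactly as the paper describes, by a preceding decision box whose NO branch sets the event TRUE and whose YES branch sets it FALSE in every tree on the path.

```python
"""Quantifying a cause consequence diagram path with a common failure event.
Added illustration; the fault trees, cut sets and failure data are constructed."""
import itertools
import math


def q_revealed(lam, t):
    """Equation (1): probability that a revealed failure occurs within time t."""
    return 1.0 - math.exp(-lam * t)


def q_unrevealed(lam, theta, tau):
    """Equation (2): mean unavailability of an unrevealed failure inspected every
    theta hours and repaired in a mean time tau, Q_AV = lambda (theta/2 + tau)."""
    return lam * (theta / 2.0 + tau)


def basic_event_probability(rec):
    """Choose the equation by failure type, as the paper does for Table 3 data."""
    if rec["type"] == "unrevealed":
        return q_unrevealed(rec["lam"], rec["theta"], rec["tau"])
    # Revealed: t is the 12 h between operations or, for the second failure mode
    # of an inconsistent pair, the 30 min the system takes to reach that box.
    return q_revealed(rec["lam"], rec["t"])


def tree_probability(cut_sets, q):
    """Top event probability by inclusion-exclusion over minimal cut sets (each a
    set of basic event names); q maps event name -> failure probability."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in itertools.combinations(cut_sets, k):
            term = 1.0
            for ev in set().union(*combo):
                term *= q[ev]
            total += (-1) ** (k + 1) * term
    return total


def naive_sequence_probability(path, q):
    """Plain product over the decision boxes: correct only when they are independent."""
    prob = 1.0
    for cut_sets, branch in path:
        p_no = tree_probability(cut_sets, q)
        prob *= p_no if branch == "NO" else 1.0 - p_no
    return prob


def sequence_probability(path, q, fixed=None):
    """Section 5.1, common failure events. path is a list of (cut_sets, branch)
    pairs in sequence order, branch being "NO" (component fails) or "YES". An
    event found in more than one fault tree on the path is extracted into a new
    decision box in front of the path: on its NO branch the event is TRUE
    (probability 1) in every tree, on its YES branch FALSE (probability 0), and
    the two copies of the path are weighted by the event's own probability."""
    fixed = dict(fixed or {})
    counts = {}
    for cut_sets, _ in path:
        for ev in set().union(*cut_sets):
            if ev not in fixed:
                counts[ev] = counts.get(ev, 0) + 1
    common = sorted(ev for ev, n in counts.items() if n > 1)
    if common:
        ev = common[0]
        return (q[ev] * sequence_probability(path, q, {**fixed, ev: 1.0})
                + (1.0 - q[ev]) * sequence_probability(path, q, {**fixed, ev: 0.0}))
    return naive_sequence_probability(path, {**q, **fixed})


def consequence_probability(sequences, q, name):
    """Sum of the probabilities of every sequence terminating in consequence name."""
    return sum(sequence_probability(path, q) for path, c in sequences if c == name)


# Constructed failure data (assumed values, not those of Table 3).
T_BETWEEN_OPERATIONS = 12.0   # h, tank filled twice daily
T_FILL = 0.5                  # h, the 30 min filling time
THETA = 4380.0                # h, assumed for the 6-monthly inspection
DATA = {
    "PS1":   {"type": "revealed",   "lam": 1e-4, "t": T_BETWEEN_OPERATIONS},
    "K2CO":  {"type": "revealed",   "lam": 2e-4, "t": T_BETWEEN_OPERATIONS},
    "M":     {"type": "revealed",   "lam": 5e-4, "t": T_BETWEEN_OPERATIONS},
    "K2CC":  {"type": "revealed",   "lam": 2e-4, "t": T_FILL},  # second mode of a pair
    "TIMCC": {"type": "unrevealed", "lam": 1e-5, "theta": THETA, "tau": 10.0},
}
Q = {name: basic_event_probability(rec) for name, rec in DATA.items()}

# Two consecutive decision boxes whose fault trees share PS1, as Ft7 and Ft8 do.
FT_A = [{"PS1"}, {"K2CO"}]   # power reaches the motor?
FT_B = [{"PS1"}, {"M"}]      # pump runs?
SEQUENCES = [
    ([(FT_A, "NO")], "E"),                     # E: empty tank
    ([(FT_A, "YES"), (FT_B, "NO")], "E"),
    ([(FT_A, "YES"), (FT_B, "YES")], "N"),     # N: normal operation
]

if __name__ == "__main__":
    for name, label in (("N", "normal operation"), ("E", "empty tank")):
        print(f"P({label}) = {consequence_probability(SEQUENCES, Q, name):.6f}")
    yes_yes = [(FT_A, "YES"), (FT_B, "YES")]
    print("naive product, ignoring the shared PS1:",
          f"{naive_sequence_probability(yes_yes, Q):.6f}")
```

With the shared PS1 extracted the consequence probabilities sum to one, whereas the plain product treats PS1 as failing independently in each box and under-counts the normal outcome.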

Fig. 11 First page of the final cause consequence diagram for the pressure tank system

Fig. 12 Second page of the final cause consequence diagram for the pressure tank system

Fig. 13 Fault tree structures for Figs 11 and 12

8 CONCLUSIONS

The main advantage of the FTA method is that the failure logic of a system is well documented on the fault tree structure. Conventional fault tree quantification, however, requires a number of assumptions, which renders the analysis of sequential or dependent systems inaccurate. For such systems, an accurate analysis can be obtained via a Markov model, but the state transition diagram used in the Markov analysis holds no textual description regarding the failure logic of the system. The cause consequence diagram method enables sequential or dependent systems to be modelled accurately with the retention of the failure logic for the system. In addition to this, more than one consequence can be modelled at a time, as the cause consequence diagram documents all system outcomes from a given critical event.

In order to extend the capabilities of the cause consequence diagram method, a list of construction and quantification rules has been developed and illustrated using an example system. In particular, this paper provides more rigorous definitions of the symbols used and of the approach to be adopted to construct the cause consequence diagram. A new symbol is introduced to distinguish between events that exist at a specified time and those that occur at that time.

Once the cause consequence diagram is constructed, its quantification can be complicated by dependencies between the events represented by the decision boxes. An approach to resolving this problem is given that can be automated within a computational analysis methodology. Dependencies attributed to either repeated events or inconsistent events can be accounted for in this way.

Table 3 Failure data for pressure tank system

Component               Failure mode   Failure rate   Inspection interval, y   Mean time to repair, t
Switch S1               S1FC
                        S1FO                          NA                       NA
Relay K1                K1D                           NA                       NA
                        K1CC
                        K1CO                          NA                       NA
Relay K2                K2D                           NA                       NA
                        K2CC                          NA                       NA
                        K2CO                          NA                       NA
Timer relay             TCC
                        TCO                           NA                       NA
Pressure switch         PSWC                          NA                       NA
                        PSWO                          NA                       NA
Fuse                    F                             NA                       NA
Power supplies 1 and 2  PS1                           NA                       NA
                        PS2                           NA                       NA
Motor                   M                             NA                       NA

E03200 © IMechE 2001 Proc Instn Mech Engrs Vol 215 Part E
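The following is an added Python example; it is not code from the paper or from its authors. It builds a small cause consequence diagram with two decision boxes whose fault trees share a repeated basic event, then quantifies each consequence in two ways: the conventional product of isolated decision-box probabilities along a path (which assumes the boxes are independent) and an exact figure obtained by enumerating every combination of basic-event states. The component names (PS, S1, S2, V), the fault trees, the consequence labels and the probabilities are all constructed for illustration and do not correspond to the pressure tank system of Table 3.

```python
from itertools import product
from typing import Callable, Dict, List, Tuple

State = Dict[str, bool]

# Constructed basic-event probabilities (illustrative values, not data from the paper).
# PS = shared power supply failed, S1/S2 = redundant pressure sensors failed,
# V = relief valve stuck shut.
BASIC_EVENTS: Dict[str, float] = {"PS": 0.1, "S1": 0.2, "S2": 0.2, "V": 0.3}

# Fault tree of each decision box, written as a Boolean function of the state.
# PS is a repeated event: it sits under both top events, so the two boxes are
# dependent even though every basic event is independent.
def alarm_fails(s: State) -> bool:
    """High-pressure alarm does not sound: PS OR (S1 AND S2)."""
    return s["PS"] or (s["S1"] and s["S2"])

def relief_fails(s: State) -> bool:
    """Relief valve does not open: PS OR V."""
    return s["PS"] or s["V"]

# Cause consequence diagram following the initiating event "tank overpressure".
# Each decision box: (top-event fault tree, target if the box works, target if it fails).
# A target is either another box name or a consequence label.
DIAGRAM: Dict[str, Tuple[Callable[[State], bool], str, str]] = {
    "ALARM":  (alarm_fails,  "SAFE_OPERATOR_TRIP", "RELIEF"),
    "RELIEF": (relief_fails, "SAFE_RELIEF",        "TANK_RUPTURE"),
}
FIRST_BOX = "ALARM"

def state_probability(s: State) -> float:
    """Joint probability of one assignment of all basic events (they are independent)."""
    p = 1.0
    for name, failed in s.items():
        q = BASIC_EVENTS[name]
        p *= q if failed else 1.0 - q
    return p

def all_states() -> List[State]:
    """Every one of the 2^n basic-event assignments."""
    names = list(BASIC_EVENTS)
    return [dict(zip(names, bits)) for bits in product((False, True), repeat=len(names))]

def follow_path(s: State) -> str:
    """Walk the diagram for one fully specified state; exactly one consequence is reached."""
    node = FIRST_BOX
    while node in DIAGRAM:
        fails, if_works, if_fails = DIAGRAM[node]
        node = if_fails if fails(s) else if_works
    return node

def exact_consequence_probabilities() -> Dict[str, float]:
    """Exact quantification: sum the probability of every state that reaches each consequence."""
    out: Dict[str, float] = {}
    for s in all_states():
        c = follow_path(s)
        out[c] = out.get(c, 0.0) + state_probability(s)
    return out

def top_event_probability(fails: Callable[[State], bool]) -> float:
    """Probability of one box's top event evaluated on its own."""
    return sum(state_probability(s) for s in all_states() if fails(s))

def naive_consequence_probabilities() -> Dict[str, float]:
    """Conventional quantification: multiply the isolated box probabilities along each
    path, which silently assumes the decision boxes are independent."""
    out: Dict[str, float] = {}

    def walk(node: str, p: float) -> None:
        if node not in DIAGRAM:
            out[node] = out.get(node, 0.0) + p
            return
        fails, if_works, if_fails = DIAGRAM[node]
        q = top_event_probability(fails)
        walk(if_works, p * (1.0 - q))
        walk(if_fails, p * q)

    walk(FIRST_BOX, 1.0)
    return out

if __name__ == "__main__":
    exact = exact_consequence_probabilities()
    naive = naive_consequence_probabilities()
    for c in sorted(set(exact) | set(naive)):
        print(f"{c:20s} naive={naive.get(c, 0.0):.5f}  exact={exact.get(c, 0.0):.5f}")
```

With these constructed values the independent-box product gives a TANK_RUPTURE probability of 0.05032, while the exact figure is 0.1108: the shared power supply makes alarm failure and relief failure positively correlated, so multiplying the two box probabilities understates the worst consequence by more than half. Exhaustive enumeration is exponential in the number of basic events and serves here only as a reference check for small diagrams; the paper's contribution is a quantification approach for these repeated-event dependencies that can be automated without such enumeration.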


More information

A GIS based Decision Support Tool for the Management of Industrial Risk

A GIS based Decision Support Tool for the Management of Industrial Risk A GIS based Decision Support Tool for the Management of Industrial Risk S.A Karkanis and G.S.Bonanos Institute of Nuclear Technology - Radiation Protection, National Center for Scientific Research DEMOKRITOS,

More information

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness Requirements Validation Requirements Management Requirements Validation?? Validation, Verification, Accreditation!! Check if evrything is OK With respect to what? Mesurement associated with requirements

More information

Non-independence in Statistical Tests for Discrete Cross-species Data

Non-independence in Statistical Tests for Discrete Cross-species Data J. theor. Biol. (1997) 188, 507514 Non-independence in Statistical Tests for Discrete Cross-species Data ALAN GRAFEN* AND MARK RIDLEY * St. John s College, Oxford OX1 3JP, and the Department of Zoology,

More information

Computing Consecutive-Type Reliabilities Non-Recursively

Computing Consecutive-Type Reliabilities Non-Recursively IEEE TRANSACTIONS ON RELIABILITY, VOL. 52, NO. 3, SEPTEMBER 2003 367 Computing Consecutive-Type Reliabilities Non-Recursively Galit Shmueli Abstract The reliability of consecutive-type systems has been

More information

6.1 Dependability Modeling. General Rules. Analysis

6.1 Dependability Modeling. General Rules. Analysis Dependable Systems Winter term 2018/2019 Dependable Systems 6 th Chapter Quantitative Analysis - Structural Models Christine Jakobs Professur Betriebssysteme Dependability is an umbrella term for a set

More information

Probabilistic Risk Assessment

Probabilistic Risk Assessment r Chapter 5 5.1 Introduction 5-1 5.1.1 Chapter Content This chapter presents a methodology for event analysis. DBAs, as discussed in the previous chapter, define the events to be analyzed for PSAs. Risk

More information

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling

More information